Re: I am one of the people affected/complaining
I received spam from 3 Santander subsidiaries (Santander, Cahoot & Abbey National), in each case sent to a disposable email-address only disclosed to the respective bank. Since I receive no other spam, I'm in no doubt who leaked it.
On 2013-11-04, I contacted Cahoot, but despite receiving a response, received little joy.
On 2013-12-03, I registered my complaint with the Information Commissioner's Office.
They responded on 2013-12-16:
In this case we have decided that it is likely that Santander (Cahoot) has complied with the requirements of the DPA.
This is because Principle 7 of the DPA states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
In practice, this means that an organisation must have appropriate security in place to prevent the personal data they hold being accidentally or deliberately compromised.
In deciding what security is appropriate, the DPA specifies the organisation must consider the harm that might result if data is lost or disclosed, and the nature of the data to be protected.
Therefore the DPA does not dictate what security measures an organisation should have in place. How this is specifically achieved is left to the discretion of the data controller.
It appears from the information provided that Santander have security measures in place when dealing with personal data and that they have confirmed there is no evidence of a security breach within their systems and there is no evidence available to prove that a breach has occurred.
In light of all of the above, we do not recommend that Santander need to take any action in relation to this matter.
This matter is now closed. Thank you for bringing it to our attention.